Abstract. Spatial conjunction is a powerful construct for reasoning about dynamically
allocated data structures, as well as concurrent, distributed and mobile computation. While
researchers have identified many uses of spatial conjunction, its precise expressive power
compared to traditional logical constructs was not previously known.
In this paper we establish the expressive power of spatial conjunction. We construct an
embedding from first-order logic with spatial conjunction into second-order logic, and more
surprisingly, an embedding from full second-order logic into first-order logic with spatial
conjunction. These embeddings show that the satisfiability of formulas in first-order logic
with spatial conjunction is equivalent to the satisfiability of formulas in second-order logic.
These results explain the great expressive power of spatial conjunction and can be used
to show that adding unrestricted spatial conjunction to a decidable logic leads to an
undecidable logic. As one example, we show that adding unrestricted spatial conjunction to
two-variable logic leads to undecidability.

On the side of decidability, the embedding into second-order logic immediately implies the
decidability of first-order logic with a form of spatial conjunction over trees. The embedding
into spatial conjunction also has useful consequences: because a restricted form of spatial
conjunction in two-variable logic preserves decidability, we obtain that a correspondingly
restricted form of second-order quantification in two-variable logic is decidable. The
resulting language generalizes the first-order theory of boolean algebra over sets and is useful in
reasoning about the contents of data structures in object-oriented languages.

Keywords: program specification, separation logic, spatial conjunction, second-order 
logic, shape analysis, two-variable logic 

1 Introduction 

Separation logic with the spatial conjunction operator was introduced as a technique for
local reasoning about shared mutable data structures [25, 44] and proved to be remarkably
effective [4, 5, 12, 13, 43, 45]. Similar constructs are present in formalisms based on
process calculi and ambient calculi [10, 11, 14-17, 35].

Despite the increasing range of results and applications of separation logic, the precise
expressive power of spatial conjunction constructs is often not known. For example,
the authors in [14, 20] use the formalism of edge-labelled multigraphs and observe great
expressive power of spatial logic for describing paths in a graph, but suggest that the
relationship with second-order logic in this setting is not straightforward.

In [30, 31] we defined the notion of spatial conjunction for arbitrary relational structures.
Our notion of spatial conjunction splits relations into disjoint subsets and has a
natural semantics that works for relations of any arity. The interpretation over relational
structures is an important step in enabling the combination of spatial conjunction with
the traditional first-order and second-order logics [2, 24, 39] and their fragments. One
such decidable fragment of first-order logic that is useful for reasoning about the heap is
two-variable logic with counting [23], whose variable-free counterpart is role logic [28].
In [30, 31] we present a combination of two-variable logic with spatial conjunction
defined on relational structures and show that it is useful for specifying generalized
records that formalize role constraints [27]. To preserve the decidability of the notation,
[30] imposes the following restriction on spatial conjunction: spatial conjunction
may only be applied to formulas of (counting) quantifier nesting at most one. Under this
assumption, we show that spatial conjunction can be eliminated using syntactic operations
on formulas, which means that spatial conjunction not only preserves decidability,
but leaves the expressive power of two-variable logic with counting unchanged.

Given the results in [30], a natural question to ask is: are we imposing an unnecessarily
strong restriction by not allowing application of spatial conjunction to formulas
with nested quantifiers; in particular, what is the decidability of logic that allows spatial
conjunction of formulas with two nested quantifiers? The present paper gives an answer
to this question: we establish that allowing spatial conjunction for formulas with
nested quantifiers leads to an undecidable logic. This undecidability result turns out to
be a consequence of an unexpectedly fundamental connection: spatial conjunction can
represent second-order quantification. We obtain a striking contrast on the expressive
power of logic depending on the use of spatial conjunction: if applied to formulas with
no nesting of first-order counting quantifiers, the result is still two-variable logic with
counting; if applied to formulas with nested first-order quantifiers, the resulting formulas
can represent second-order formulas. This contrast can be viewed as a justification
for the restriction imposed in [30].

Because it applies to both decidable and undecidable logics, the embedding of
second-order logic into spatial conjunction yields not only undecidability, but also
decidability results. Using the restriction on the use of spatial conjunction with the
translation of second-order quantifiers yields a decidable notation with second-order
quantifiers. This notation leads to a generalization of boolean algebra of sets to two-variable
logic with counting extended with a form of second-order quantification; such notation
is useful for reasoning about data structure abstractions [32, 33].

We also note that graph reachability, inductive definitions, spatial implication, and 
a parameterized version of spatial conjunction are all expressible in second-order logic. 
An interesting consequence of the embedding of second-order quantifiers into spatial 
conjunction is that all these constructs are expressible using spatial conjunction alone. 

Moreover, the converse embedding holds as well: spatial conjunction is expressible
in second-order logic. Together, these two results lead to a particularly simple
characterization: spatial conjunction and second-order logic are equivalent (see Proposition 1
and Proposition 2 for the precise formulation of this equivalence).

The translation from spatial logic to second-order logic also has useful consequences.
Namely, if we restrict the set of models to unions of trees, then monadic
second-order logic is decidable. By translating restricted spatial logic formulas to
monadic second-order logic, we obtain that spatial logic is decidable over trees as well.

In general, the equivalence for satisfiability between spatial conjunction and second-order
logic improves our understanding of spatial conjunction and suggests that the
definition of spatial conjunction on relational structures is a natural one. While it is
less surprising that second-order logic can express the definition of spatial conjunction
(we have observed this already in the technical report [31]), we found it quite surprising
that spatial conjunction in first-order logic can express the entire second-order
logic. The idea of both directions of our translation is remarkably simple, and this
simplicity is reflected in the linear time complexity of formula translations: translation of
spatial conjunction connectives into second-order logic mimics the semantics of spatial
conjunction in terms of the existence of disjoint relations, and the translation from
second-order logic into spatial conjunction takes advantage of the non-determinism
in splitting of the heap to simulate the existential quantifier.

Contributions. We summarize the contributions of this paper as follows. 

1. We construct an equivalence-preserving translation of spatial conjunction into
second-order quantifiers. We then show that this translation implies decidability
of the first-order logic with a spatial conjunction interpreted over tree structures,
when spatial conjunction splits only unary predicates.

2. We construct a satisfiability-preserving translation of second-order quantifiers into
spatial conjunction, and derive the following consequences:

(a) first-order logic with spatial conjunction has the expressive power of second-order
logic, even if restricted to two first-order variables, and even if spatial
conjunction is applied only to formulas of first-order quantifier nesting at most
two (a similar result holds for parameterized spatial conjunction that splits only
unary predicates: the resulting logic is equivalent to monadic second-order
logic);

(b) two-variable logic with counting extended with second-order quantifiers that
apply only to formulas with quantifier nesting at most one can be translated
into two-variable logic with counting, and is therefore decidable;

(c) graph reachability, inductive definitions, spatial implication, and generalized
spatial conjunction are all expressible using first-order logic with spatial
conjunction.

2 Preliminaries 

In this section we present our definitions of relational structures as well as the semantics 
of second-order logic and spatial conjunction. 

2.1 Relational Structures 

Figure 1 presents the semantics of second-order logic formulas in relational structures,
which is mostly standard. We use Var to denote first-order variables with typical
representatives $x$, $x_i$. We use $\Sigma$ to denote second-order variables (predicates), with a
typical representative $P$, or $P^{(k)}$ when we wish to specify that the predicate symbol has
arity $k$; alternatively we write $\mathrm{ar}(P) = k$.

For convenience we fix a universe $U$ of all relational structures in a given context;
we assume $U$ is countable, but the cardinality of $U$ does not play an important role
for us. A relational structure, denoted $e$, is a valuation for first-order and second-order
variables. As in first-order logic, for a first-order variable $x$, $e(x) \in U$ is an element
of the domain, and for a predicate symbol $P$ of arity $\mathrm{ar}(P) = k$, $e(P) \subseteq U^{k}$ is a
relation of arity $k$. In this way we merge the model and the variable assignment, which
makes it natural to define second-order quantification as in Figure 1. If $v$ is a first-order
or second-order variable, we use the standard notation $e[v := a]$ to denote the updated
relational structure such that $e[v := a](v) = a$ and $e[v := a](v_1) = e(v_1)$ for $v_1 \neq v$.
We treat equality in formulas as a logical symbol and interpret it in the standard way.

$\mathcal{M}[\![x_1 = x_2]\!]e$
$\mathcal{M}[\![P^{(k)}(x_1,\ldots,x_k)]\!]e$
$\mathcal{M}[\![F_1 \land F_2]\!]e$
$\mathcal{M}[\![\lnot F]\!]e$
$\mathcal{M}[\![\exists x.F]\!]e$
$\mathcal{M}[\![\exists P^{(k)}.F]\!]e$

Fig. 1. Semantics (Interpretation) of Second-Order Formulas in Relational Structures

2.2 Spatial Conjunction 

Figure 2 introduces our notion of spatial conjunction, denoted $\circledast$. We illustrate the
intuition behind the definition of $\circledast$ in terms of combining the structures for which the
formula is true. Suppose $\Sigma = \{P^{(2)}\}$ has only one binary relation symbol, so the
relational structures are graphs. If $e_1$ is a structure such that $\mathcal{M}[\![F_1]\!]e_1$ and $e_2$ is a
structure such that $\mathcal{M}[\![F_2]\!]e_2$, then if the edges of $e_1(P^{(2)})$ and $e_2(P^{(2)})$ are disjoint,
the structure with relation $e(P^{(2)}) = e_1(P^{(2)}) \cup e_2(P^{(2)})$ satisfies
$\mathcal{M}[\![F_1 \circledast F_2]\!]e$. In general,
there is one relation $e$ for each pair of models $e_1$ and $e_2$ that can be combined. There
are three models of $F_1 \circledast F_2$ in Figure 2; there is only one pair of relations that cannot
be combined, because of an overlapping edge from $w$ to $x$.

The definition of spatial conjunction in Figure 2 is identical to the one we use in [30,
31]. In our setup, similarly to other notions of spatial conjunction [15, 25], a formula
$F_1 \circledast F_2$ holds for a relational structure if and only if the structure can be split into two
disjoint structures where $F_1$ holds for the first component and $F_2$ holds for the second
component. The difference with [15] is that we use general relational structures which
correspond to labelled graphs as opposed to multigraphs. Our notion of splitting of
relational structures, given by condition $\mathrm{splitStruct}_\sigma(e, e_1, e_2)$, reduces to partitioning
each relation in $\sigma$. For the definition of spatial conjunction $\circledast$ we let $\sigma = \Sigma$ where
$\Sigma$ is the set of all relation symbols; it is also natural to allow a generalized spatial
conjunction $\circledast_\sigma$ in Figure 3 that takes the set of predicate symbols $\sigma$ as an argument,
then splits relations in $\sigma$ and preserves the relations in $\Sigma \setminus \sigma$. For example, if we let
$\sigma = \Sigma^{(1)}$, then the conjunction $\circledast_\sigma$ splits only unary relations. The results of this paper
imply that $\circledast_\Sigma$ corresponds to full second-order logic, whereas $\circledast_{\Sigma^{(1)}}$ corresponds to
monadic second-order logic.

$\mathcal{M}[\![F_1 \circledast F_2]\!]e \iff \exists e_1, e_2.\ \mathrm{splitStruct}_\Sigma(e, e_1, e_2) \land \mathcal{M}[\![F_1]\!]e_1 \land \mathcal{M}[\![F_2]\!]e_2$

$\mathrm{splitStruct}_\sigma(e, e_1, e_2) \iff \bigwedge_{r \in \sigma} \mathrm{splitRel}(e(r), e_1(r), e_2(r)) \land \bigwedge_{r \in \Sigma \setminus \sigma} (e_1(r) = e(r) \land e_2(r) = e(r))$

$\mathrm{splitRel}(r, r_1, r_2) \iff (r = r_1 \cup r_2 \land r_1 \cap r_2 = \emptyset)$

Fig. 2. Semantics of Spatial Conjunction $\circledast$.

$\mathcal{M}[\![F_1 \circledast_\sigma F_2]\!]e \iff \exists e_1, e_2.\ \mathrm{splitStruct}_\sigma(e, e_1, e_2) \land \mathcal{M}[\![F_1]\!]e_1 \land \mathcal{M}[\![F_2]\!]e_2$

$F_1 \circledast F_2 = F_1 \circledast_\Sigma F_2$

Fig. 3. Parameterized Spatial Conjunction $\circledast_\sigma$

Our definition of spatial conjunction above is not the only one possible, but there 
are several reasons to consider it as a natural definition of spatial conjunction: 

- Our definition is close to the definition of [25]. A relational structure can represent
a store by modelling each store location as a pair of an object and one of the finitely
many predicate symbols; this view is appropriate for type-safe languages such as
Java, ML, and O'Caml.

- The only difference compared to [15] is that we use relations as sets of tuples
where [15] uses multigraphs as multisets of tuples; we believe that our results can
provide useful insight into languages such as [15] as well.

- With the appropriate definition of spatial implication $-\!\circledast$ (Figure 8) corresponding
to conjunction $\circledast$, our model validates the axioms of bunched implications [25, 42].

- We can naturally describe concatenation of generalized records [30, 31], which cannot
be expressed using standard logical operations.

The main claim of this paper is that our notion of spatial conjunction is equivalent
for satisfiability to second-order quantification. This equivalence can be viewed as another
argument in favor of the definitions we adopt. We proceed to demonstrate both
directions of the equivalence, and then present some consequences of the result.
3 Representing Spatial Conjunction $\circledast$ in Second-Order Logic

In this section we give a translation from the first-order logic with spatial conjunction
to second-order logic. The consequence of this translation is an upper bound on the
expressive power of spatial conjunction. Because our translation applies to all relational
structures, if we restrict the set of relational structures so that second-order logic
becomes decidable, then the corresponding spatial logic is decidable on the restricted set
of structures as well.

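$\sigma = \{P_1, \ldots, P_n\}$

spatial conjunction elimination:

$\mathcal{T}_{\circledast\to 2}[F' \circledast_\sigma F''] = \exists P'_1, \ldots, P'_n, P''_1, \ldots, P''_n.\ \bigwedge_{i=1}^{n} \mathrm{synSplitRel}(P_i, P'_i, P''_i) \land F'[P_i := P'_i]_{i=1}^{n} \land F''[P_i := P''_i]_{i=1}^{n}$

$\mathrm{synSplitRel}(P, P', P'') = \forall x_1, \ldots, x_k.\ (P(x_1, \ldots, x_k) \Leftrightarrow P'(x_1, \ldots, x_k) \lor P''(x_1, \ldots, x_k)) \land \lnot(P'(x_1, \ldots, x_k) \land P''(x_1, \ldots, x_k))$
$k = \mathrm{ar}(P) = \mathrm{ar}(P') = \mathrm{ar}(P'')$

recursive translation function:

$\mathcal{RT}_{\circledast\to 2}[x_1 = x_2] = (x_1 = x_2)$
$\mathcal{RT}_{\circledast\to 2}[P^{(k)}(x_1, \ldots, x_k)] = P^{(k)}(x_1, \ldots, x_k)$
$\mathcal{RT}_{\circledast\to 2}[F_1 \land F_2] = \mathcal{RT}_{\circledast\to 2}[F_1] \land \mathcal{RT}_{\circledast\to 2}[F_2]$
$\mathcal{RT}_{\circledast\to 2}[\lnot F] = \lnot \mathcal{RT}_{\circledast\to 2}[F]$
$\mathcal{RT}_{\circledast\to 2}[\exists x.F] = \exists x.\ \mathcal{RT}_{\circledast\to 2}[F]$
$\mathcal{RT}_{\circledast\to 2}[\exists P^{(k)}.F] = \exists P^{(k)}.\ \mathcal{RT}_{\circledast\to 2}[F]$
$\mathcal{RT}_{\circledast\to 2}[F_1 \circledast F_2] = \mathcal{T}_{\circledast\to 2}[\mathcal{RT}_{\circledast\to 2}[F_1] \circledast_\Sigma \mathcal{RT}_{\circledast\to 2}[F_2]]$
$\mathcal{RT}_{\circledast\to 2}[F_1 \circledast_{\Sigma^{(1)}} F_2] = \mathcal{T}_{\circledast\to 2}[\mathcal{RT}_{\circledast\to 2}[F_1] \circledast_{\Sigma^{(1)}} \mathcal{RT}_{\circledast\to 2}[F_2]]$

translation correctness lemmas:

$\mathcal{M}[\![F'[P_i := P'_i]_{i=1}^{n}]\!](e[P'_i := r_i]_{i=1}^{n}) = \mathcal{M}[\![F']\!](e[P_i := r_i]_{i=1}^{n})$ for $P'_i$ fresh in $F'$
$\mathcal{M}[\![\mathcal{T}_{\circledast\to 2}[F]]\!]e = \mathcal{M}[\![F]\!]e$
$\mathcal{M}[\![\mathcal{RT}_{\circledast\to 2}[F]]\!]e = \mathcal{M}[\![F]\!]e$

Fig. 4. Translation of Spatial Conjunction into Second-Order Logic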

Figure 4 presents the translation from first-order logic extended with spatial conjunction
into second-order logic. The translation directly mimics the semantics of $\circledast$ and follows
from the fact that second-order logic can essentially quantify over its entire domain and
can express disjointness of relations. Indeed, the truth value of a formula depends only
on finitely many first and second-order variables, and second-order logic can quantify
over each of these variables, which amounts to quantification over relational structures.

The translation in Figure 4 introduces two fresh predicate symbols $P'_i$, $P''_i$ for each
predicate symbol $P_i$ and asserts that $P'_i$ and $P''_i$ split $P_i$. The translation then replaces
the predicates $P_i$ with the corresponding predicates $P'_i$ in the first formula $F'$, and
replaces the predicates $P_i$ with the predicate $P''_i$ in the second formula $F''$. The
correctness of the translation follows from the definitions, using lemmas in Figure 4 and
structural induction. We conclude the following.

Proposition 1. If $F$ is a second-order logic formula potentially containing spatial
conjunction, then $\mathcal{RT}_{\circledast\to 2}[F]$ is an equivalent second-order logic formula without spatial
conjunction; we have $\mathcal{M}[\![\mathcal{RT}_{\circledast\to 2}[F]]\!]e = \mathcal{M}[\![F]\!]e$ for all relational structures $e$ that
interpret $F$. Moreover, if $F$ is a monadic second-order logic formula with $\circledast_{\Sigma^{(1)}}$ as the
only spatial conjunction operator, then the resulting formula is a monadic second-order
logic formula.

4 Representing Second-Order Quantifiers using $\circledast$

This section shows that second-order quantifiers can be represented using spatial
conjunction. Among the consequences of this result are the fact that first-order logic with
spatial conjunction has the expressive power of second-order logic (even if restricted
to two first-order variables where the spatial conjunction connects only formulas of
first-order quantifier nesting at most two), that two-variable logic with counting
extended with second-order quantifiers that apply only to formulas with quantifier nesting
at most one is decidable, and that inductive definitions, spatial implication, and generalized
spatial conjunction are expressible using first-order logic with spatial conjunction.

Figure 5 presents the translation of second-order quantifiers into spatial conjunction.
As in the case of the converse translation in Section 3, the intuition behind the translation
is to exploit the semantics of spatial conjunction in Figure 3. This time, however,
we use the more complex operation (splitting of relational structures) to simulate an
existential quantifier over relations, which leads to apparent difficulties. At first sight
it appears that heap splitting fails to have the effect of an existential quantifier over a
relation predicate, for two reasons:

1. splitting relational structures splits existing relations, which means that the
interpretations of relations in the resulting structure are subsets of the interpretation of
relations in the enclosing structure;

2. splitting of relational structures splits all relations, and not just the interpretation of
one predicate.

We solve both of these problems when translating a formula $F_0$ with second-order
quantifiers, as follows. We first rename all bound second-order variables (denoted $BV2(F_0)$)
to ensure that they are all distinct and that they differ from the free variables in $F_0$. In
the translated formula, even the bound second-order variables $BV2(F_0)$ become free
second-order variables, which are allowed in first-order logic. To solve the first problem,
instead of considering all possible relational structures $e$, we consider only those
relational structures that map the variables $BV2(F_0)$ to full relations; we use the
conjunct allpreds to ensure that only such structures are considered for the interpretation of
the final translated formula $\mathcal{FT}_{2\to\circledast}[F_0]$. We translate the formula using the recursive
translation function denoted $\mathcal{RT}_{2\to\circledast}[F_0]$, which walks the formula tree and applies the
translation of the existential quantifier. The translation of the existential quantifier,
denoted $\mathcal{T}_{2\to\circledast}[\cdot]$, replaces the quantifier $\exists P.F$ with the formula $\mathrm{nonebut}(P) \circledast F$. The
spatial conjunct $\mathrm{nonebut}(P)$ solves the second problem above, by asserting that all relations
other than $P$ are empty, and leaving the interpretation of relation $P$ unconstrained.
As a result, the interpretation of $P$ in $F$ is arbitrary, achieving the effect of existential
quantification, and the interpretations of the remaining quantifiers remain the same, as
desired.

$BV2(F)$: second-order variables bound in $F$

$V2(F)$: second-order variables in $F$

$F_0$: a formula without spatial conjunction $\circledast$

assumption: all bound variables in $F_0$ are mutually distinct and
distinct from free variables in $F_0$

$\mathrm{allpreds} = \forall x.\ \bigwedge_{Q \in BV2(F_0)} Q(x)$

$\mathrm{nonebut}(P) = \forall x.\ \bigwedge_{Q \in V2(F_0) \setminus \{P\}} \lnot Q(x)$

translation of second-order quantifier:
$\mathcal{T}_{2\to\circledast}[\exists P.F] = \mathrm{nonebut}(P) \circledast F$

recursive translation function:

$\mathcal{RT}_{2\to\circledast}[x_1 = x_2] = (x_1 = x_2)$
$\mathcal{RT}_{2\to\circledast}[P^{(k)}(x_1, \ldots, x_k)] = P^{(k)}(x_1, \ldots, x_k)$
$\mathcal{RT}_{2\to\circledast}[F_1 \land F_2] = \mathcal{RT}_{2\to\circledast}[F_1] \land \mathcal{RT}_{2\to\circledast}[F_2]$
$\mathcal{RT}_{2\to\circledast}[\lnot F] = \lnot \mathcal{RT}_{2\to\circledast}[F]$
$\mathcal{RT}_{2\to\circledast}[\exists x.F] = \exists x.\ \mathcal{RT}_{2\to\circledast}[F]$
$\mathcal{RT}_{2\to\circledast}[\exists P^{(k)}.F] = \mathcal{T}_{2\to\circledast}[\exists P^{(k)}.\ \mathcal{RT}_{2\to\circledast}[F]]$

final translation of a formula:
$\mathcal{FT}_{2\to\circledast}[F_0] = \mathrm{allpreds} \land \mathcal{RT}_{2\to\circledast}[F_0]$

translation correctness lemmas:

$\mathcal{M}[\![\exists P.F]\!]e = \mathcal{M}[\![\mathcal{T}_{2\to\circledast}[\exists P.F]]\!](e[P \mapsto U^{\mathrm{ar}(P)}])$
$\mathcal{M}[\![F_0]\!]e = \mathcal{M}[\![\mathcal{FT}_{2\to\circledast}[F_0]]\!](e[P \mapsto U^{\mathrm{ar}(P)}]_{P \in BV2(F_0)})$
$\exists e.\ \mathcal{M}[\![F_0]\!]e \iff \exists e.\ \mathcal{M}[\![\mathcal{FT}_{2\to\circledast}[F_0]]\!]e$

Fig. 5. Translation of Second-Order Quantifiers into Spatial Conjunction

Soundness of the translation in Figure 5 is given by equisatisfiability, or equivalence
on a reasonably restricted class of structures, as summarized by the following
proposition.

Proposition 2. Let $F_0$ be a second-order logic formula in which each bound variable
is distinct from all other variables in $F_0$. Then $\mathcal{FT}_{2\to\circledast}[F_0]$ is a formula in first-order
logic with spatial conjunction, such that $F_0$ has a model if and only if $\mathcal{FT}_{2\to\circledast}[F_0]$
has a model. Moreover, if $e$ ranges over structures that assign full relations to predicate
symbols not free in $F_0$, then the transformation is equivalence preserving, that is,
$\mathcal{M}[\![F_0]\!]e$ if and only if $\mathcal{M}[\![\mathcal{FT}_{2\to\circledast}[F_0]]\!]e$. Finally, if all second-order quantifiers in $F_0$
are monadic, then $F_0$ can be translated into a formula containing only $\circledast_{\Sigma^{(1)}}$ instead of
$\circledast$.
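
The following added example (not code from the paper) runs the Figure 2 semantics of spatial conjunction and the Figure 5 translation by brute force over a three-element universe, and checks the equivalence of Proposition 2 on a 2-colourability formula. The tuple encoding of formulas, the dictionary representation of structures and all function names are assumptions of the example.

```python
# Added example, not the paper's code; tuple-encoded formulas and dict structures are assumptions.
from functools import reduce
from itertools import combinations, product

def subsets(items):
    items = list(items)
    for n in range(len(items) + 1):
        for chosen in combinations(items, n):
            yield frozenset(chosen)

def splits(rels):
    """All (e1, e2) with splitStruct_Sigma(e, e1, e2): every relation is split into disjoint parts."""
    names = sorted(rels)
    parts = [[(r1, rels[n] - r1) for r1 in subsets(rels[n])] for n in names]
    for choice in product(*parts):
        yield ({n: c[0] for n, c in zip(names, choice)},
               {n: c[1] for n, c in zip(names, choice)})

def holds(f, U, rels, env=None):
    env, op = env or {}, f[0]             # e = (rels, env) over the finite universe U
    if op == "true":
        return True
    if op == "eq":
        return env[f[1]] == env[f[2]]
    if op == "pred":                      # ("pred", P, (x1, ..., xk))
        return tuple(env[x] for x in f[2]) in rels[f[1]]
    if op == "and":
        return holds(f[1], U, rels, env) and holds(f[2], U, rels, env)
    if op == "not":
        return not holds(f[1], U, rels, env)
    if op == "ex":                        # ("ex", x, F)
        return any(holds(f[2], U, rels, {**env, f[1]: a}) for a in U)
    if op == "ex2":                       # ("ex2", P, arity, F)
        return any(holds(f[3], U, {**rels, f[1]: r}, env)
                   for r in subsets(product(U, repeat=f[2])))
    if op == "sep":                       # ("sep", F1, F2): spatial conjunction
        return any(holds(f[1], U, e1, env) and holds(f[2], U, e2, env)
                   for e1, e2 in splits(rels))
    raise ValueError(op)

def kids(f):
    return {"not": f[1:2], "and": f[1:3], "sep": f[1:3],
            "ex": f[2:3], "ex2": f[3:4]}.get(f[0], ())

def preds(f, bound_only=False):
    """V2(f), or BV2(f) when bound_only, as {name: arity}."""
    out = {}
    if f[0] == "pred" and not bound_only:
        out[f[1]] = len(f[2])
    if f[0] == "ex2":
        out[f[1]] = f[2]
    for g in kids(f):
        out.update(preds(g, bound_only))
    return out

def conj(fs):
    return reduce(lambda a, b: ("and", a, b), fs, ("true",))

def forall_tuples(Q, k, positive):
    """forall x. Q(x) if positive, else forall x. not Q(x), built from not/exists."""
    xs = tuple(f"v{i}" for i in range(k))
    body = ("pred", Q, xs)
    body = ("not", body) if positive else body
    for x in xs:
        body = ("ex", x, body)
    return ("not", body)

def translate(f0):
    """FT[F0] = allpreds AND RT[F0]; exists P. F becomes nonebut(P) (*) F (Figure 5)."""
    v2, bv2 = preds(f0), preds(f0, bound_only=True)
    def nonebut(P):
        return conj(forall_tuples(Q, k, False) for Q, k in v2.items() if Q != P)
    def rt(f):
        if f[0] == "ex2":
            return ("sep", nonebut(f[1]), rt(f[3]))
        sub = kids(f)                     # other connectives: rebuild around translated children
        return f[:len(f) - len(sub)] + tuple(rt(g) for g in sub)
    allpreds = conj(forall_tuples(Q, k, True) for Q, k in bv2.items())
    return ("and", allpreds, rt(f0))

def same(x, y):                           # P(x) <-> P(y)
    px, py = ("pred", "P", (x,)), ("pred", "P", (y,))
    return ("and", ("not", ("and", px, ("not", py))),
                   ("not", ("and", ("not", px), py)))

# exists P. forall x, y. E(x, y) -> not (P(x) <-> P(y)): "graph E is 2-colourable"
TWO_COL = ("ex2", "P", 1, ("not", ("ex", "x", ("ex", "y",
           ("and", ("pred", "E", ("x", "y")), same("x", "y"))))))

def check(edges, n=3):
    """(M[[F0]]e, M[[FT[F0]]]e'), where e' additionally maps the bound P to U^1."""
    U = range(n)
    e = {"E": frozenset(edges)}
    e_full = {**e, "P": frozenset(product(U, repeat=1))}
    return holds(TWO_COL, U, e), holds(translate(TWO_COL), U, e_full)

if __name__ == "__main__":
    print(check({(0, 1), (1, 2)}), check({(0, 1), (1, 2), (2, 0)}))  # constructed graphs
```

The two truth values agree only because the bound predicate P is interpreted as the full relation; with P empty the conjunct allpreds fails, which is why Proposition 2 states equisatisfiability in general and equivalence only on that class of structures.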

5 Consequences of the Equivalence 

This section presents the consequences of the equivalence between spatial conjunction 
and second-order quantification. 

5.1 Spatial Conjunction on Tree Structures is Decidable 

This section summarizes one interesting consequence of the equivalence between spatial
conjunction and second-order logic with respect to tree structures.

Let us restrict our attention to relational structures that interpret predicates of arity 
at most two. Such relational structures correspond to graphs with labelled nodes and 
edges. We say that a relational structure is a forest if the directed graph obtained by 
erasing all labels is a directed forest, where by a directed forest we mean a directed 
graph with no cycles where each node has an in-degree at most one. We then have the 
following lemma. 

Lemma 3. If $e$ is a forest, and $\mathrm{splitStruct}_\Sigma(e, e_1, e_2)$ holds, then both $e_1$ and $e_2$ are
forests.

The previous lemma easily follows by contraposition: if $e_1$ or $e_2$ have a cycle so does $e$,
and if $e_1$ or $e_2$ have a node with in-degree two or more, so does $e$. This lemma implies
that, when evaluating the meaning $\mathcal{M}[\![F]\!]e$ of a formula in first-order logic with spatial
conjunction, it suffices to restrict the top-level structure $e$ to be a forest for all structures
occurring in the semantics of subformulas of $F$ to be forests, which means that the
semantics of spatial conjunction over forests is equivalent to the semantics in Figure 1.
Using Proposition 1 we then obtain as a special case $\mathcal{M}[\![F]\!]e \iff \mathcal{M}[\![\mathcal{RT}_{\circledast\to 2}[F]]\!]e$.
By decidability of monadic second-order logic over trees [18], we conclude the following.

Proposition 4. The satisfiability (and therefore the validity) problem of first-order logic
extended with spatial conjunction $\circledast_{\Sigma^{(1)}}$ is decidable.
5.2 Undecidable Extension of Two-Variable Logic

This section notes a consequence of Proposition 2 on extensions of decidable fragments 
of first-order logic with spatial conjunction. It is motivated by the following fact, proven 
in [30]: 

Fact 5. Two-variable logic with counting extended with spatial conjunction on formulas
with no nested counting quantifiers is decidable.

A natural question to ask is: what is the decidability of the notation if we allow spatial
conjunction of formulas with quantifier nesting two or more? The answer is that the
resulting notation is undecidable. Namely, if we have only binary relation symbols, we
obtain a logic equivalent to full second-order logic, and already first-order logic in the
language with binary relation symbols is undecidable.

The reason for obtaining second-order logic when allowing spatial conjunction of
formulas with nested quantifiers is that it is possible to simulate first-order quantifiers
using second-order quantifiers. We can represent a first-order variable such as $x$ by a
second-order variable $P_x$ bounded by the property $\exists! z.\ P_x(z)$, and then replace each
binary relation symbol $f(x, y)$ with a formula of the form

$\forall u.\ \forall v.\ P_x(u) \land P_y(v) \Rightarrow f(u, v)$,    (1)

which uses only two first-order variables and has quantifier nesting of two. Similarly,
the use of a unary relation symbol $P(x)$ can be replaced by $\forall u.\ P_x(u) \Rightarrow P(u)$.

Now consider a second-order logic formula with binary and unary relation symbols
and no restrictions on the number of first-order variables. As described above, we can
reduce such a formula to an equisatisfiable formula that uses only two first-order variables.
We can then apply the translation in Figure 5 to eliminate second-order quantifiers.
Because formulas allpreds and $\mathrm{nonebut}(P)$ have quantifier depth at most one, the
result is a formula with spatial conjunction that is applied to quantifiers of depth at most
two and that uses at most two first-order variable names. Moreover, the resulting formula
is equisatisfiable by Proposition 2. Because the satisfiability of second-order logic
formulas is undecidable, the translation of second-order logic formulas into formulas
with spatial conjunction implies undecidability of formulas with spatial conjunction
applied to formulas with quantifier depth of two or more.

Proposition 6. Two-variable logic with counting extended with spatial conjunction $\circledast$
on formulas with quantifier nesting at most two is undecidable. The result applies to
spatial conjunction $\circledast_{\Sigma^{(1)}}$ as well.

5.3 Decidable Second-Order Quantification in Two-Variable Logic

We next state a positive consequence of Fact 5 and Proposition 2.

Proposition 7. Two-variable logic with counting extended with second-order quantification
on formulas with no nested counting first-order quantifiers is decidable.

Just like the previous Proposition 6, Proposition 7 follows from applying the translation
in Figure 5 and observing that the resulting formula has no nested first-order quantifiers,
and is equisatisfiable by Proposition 2. Applying Proposition 5, we can decide the
satisfiability of the resulting formula, which gives the satisfiability of the original formula
as well.
To see why Proposition 7 is interesting, note that Proposition 7 places no restrictions
on the number of second-order quantifiers used on a formula with no nested first-order
quantifiers. Next, recall that monadic second-order logic of a set (with no relation symbols)
is just the first-order logic of boolean algebra of sets, which is decidable by quantifier
elimination [48] (for an overview of quantifier elimination for boolean algebra see,
for example, [29]). We therefore observe that the language permitted by Proposition 7
is a proper generalization of boolean algebra of sets; it is a generalization that allows
stating set properties in a neighborhood of a pair of objects given by two free variables
of a formula in two-variable logic with counting.

While we have found the first-order theory of boolean algebra of sets to be useful for 
reasoning about the content of global data structures [32], the generalization presented 
in this section allows reasoning about sets that exist in the neighborhood of an object 
denoted by a first-order variable. In other words, this specification language allows us 
to reason about the content of data structures associated with individual objects (which 
are common in object-oriented programming languages), as opposed to just reasoning 
about global data structures. 

Comparing the results of this section and Section 5.2, we note the crucial role of the 
restriction on quantifier nesting: with no nested first-order quantifiers, it is not possible 
to use second-order variables to simulate first-order variables because it is not possible 
to establish the correlation of the form (1). 

5.4 Expressing Inductive Definitions and Spatial Implication 

We next review the fact that inductive definitions (and therefore transitive closure) are
definable in second-order logic. This fact is of interest because it implies that inductive
definitions can be represented using spatial conjunction, which leads to a surprising
conclusion that inductive definitions do not increase the expressive power of first-order
logic with spatial conjunction. We similarly observe that the spatial implication
corresponding to spatial conjunction is expressible in second-order logic and therefore
expressible using spatial conjunction. All these consequences follow from Proposition 2.

$\mathcal{M}[\![\mathsf{let\ rec}\ P^{(k)}(x_1, \ldots, x_k) = F\ \mathsf{in}\ G]\!] \iff \mathcal{M}[\![G[P^{(k)} := \mathrm{LFP}_{P^{(k)}, x_1, \ldots, x_k} F]]\!]$

$\mathcal{M}[\![\mathrm{LFP}_{P^{(k)}, x_1, \ldots, x_k} F(y_1, \ldots, y_k)]\!]e \iff (e(y_1), \ldots, e(y_k)) \in \mathrm{lfp}(\lambda r.\ \{(v_1, \ldots, v_k) \mid \mathcal{M}[\![F]\!]e[P^{(k)} := r, x_1 := v_1, \ldots, x_k := v_k]\})$

Fig. 6. Semantics of Inductive Definitions

Figure 6 presents the semantics of inductive definitions. The syntax of the least-fixpoint
operator is

$\mathrm{LFP}_{P^{(k)}, x_1, \ldots, x_k} F(y_1, \ldots, y_k)$

where $F$ is a formula that may contain new free variables $P^{(k)}, x_1, \ldots, x_k$. The meaning
of the least-fixpoint operator is that the relation which is the least fixpoint of the
monotonic transformation on predicates

$(\lambda x_1, \ldots, x_k.\ P^{(k)}(x_1, \ldots, x_k)) \mapsto (\lambda x_1, \ldots, x_k.\ F)$

holds for $y_1, \ldots, y_k$. To ensure the monotonicity of the transformation on predicates,
we require that $P^{(k)}$ occurs only positively in $F$.
$\mathcal{T}_{\mathrm{ind}\to 2}[\mathrm{LFP}_{P^{(k)}, x_1, \ldots, x_n} F(y_1, \ldots, y_n)] = \forall P.\ (\forall x_1, \ldots, x_n.\ (F \Leftrightarrow P(x_1, \ldots, x_n))) \Rightarrow P(y_1, \ldots, y_n)$

Soundness:

$\mathcal{M}[\![\mathcal{T}_{\mathrm{ind}\to 2}[\mathrm{LFP}_{P^{(k)}, x_1, \ldots, x_n} F(y_1, \ldots, y_n)]]\!]e = \mathcal{M}[\![\mathrm{LFP}_{P^{(k)}, x_1, \ldots, x_n} F(y_1, \ldots, y_n)]\!]e$

Fig. 7. Expressing Least Fixpoint in Second-Order Logic

Figure 7 shows that the least-fixpoint operator is expressible in second-order logic. The
property that $P$ is a fixpoint of $F$ is easily expressible. To encode that $y_1, \ldots, y_n$ hold
for the least fixpoint of $F$, we state that $y_1, \ldots, y_n$ hold for all fixpoints of $F$, using
universal second-order quantification over $P$.
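
As an added illustration of the Figure 7 encoding (not code from the paper), the following example takes graph reachability as the inductive definition and compares the least fixpoint computed by iteration with the set of elements that belong to every fixpoint, found by enumerating all unary predicates over a small universe. The graph and the function names are constructed for the example.

```python
# Added example, not the paper's code: reachability as a least fixpoint (graph is constructed).
from itertools import combinations

def step(P, edges, source):
    """F applied to P: x is in F(P) iff x = source or some z in P has an edge z -> x."""
    return frozenset({source} | {x for (z, x) in edges if z in P})

def lfp_by_iteration(edges, source):
    """Least fixpoint of the monotone map P -> F(P), iterated from the empty set."""
    P = frozenset()
    while step(P, edges, source) != P:
        P = step(P, edges, source)
    return P

def fixpoints(universe, edges, source):
    """Every P with forall x. F(P)(x) <-> P(x), found by enumerating all subsets."""
    candidates = (frozenset(c) for n in range(len(universe) + 1)
                  for c in combinations(universe, n))
    return [P for P in candidates if step(P, edges, source) == P]

def in_every_fixpoint(universe, edges, source):
    """Figure 7: y is in the least fixpoint iff forall P. (P is a fixpoint of F) => P(y)."""
    fps = fixpoints(universe, edges, source)
    return frozenset(y for y in universe if all(y in P for P in fps))

# Constructed graph: 0 -> 1 -> 2 is reachable from 0; the cycle 3 <-> 4 is not.
UNIVERSE = range(5)
EDGES = {(0, 1), (1, 2), (3, 4), (4, 3)}

if __name__ == "__main__":
    print(sorted(lfp_by_iteration(EDGES, 0)),
          [sorted(P) for P in fixpoints(UNIVERSE, EDGES, 0)])
```

The unreachable cycle gives a second, larger fixpoint, so membership in a single fixpoint is not enough; the universal quantifier over $P$ is what singles out the least one.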

M\F'^®F"\e -44 Ve',e". (splitStruct^e", e, e') A M\F'\e') => M\F"\e" 
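$$T_{\mathrm{im}\to 2}[\![F' -\!\!\circledast F'']\!] = \forall P'_1,\ldots,P'_n, P''_1,\ldots,P''_n.\ \Big(\bigwedge_{i=1}^{n} \mathrm{synSplitRel}(P''_i, P_i, P'_i) \land F'[P_i := P'_i]_{i=1}^{n}\Big) \Rightarrow F''[P_i := P''_i]_{i=1}^{n}$$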

Fig. 8. Semantics of Spatial Implication 

Figure 8 presents the semantics of the spatial implication operation that along with 
spatial conjunction $\circledast$ validates the axioms of bunched implications [25,42]. Figure 8 
also presents the translation of $-\!\!\circledast$ into second-order logic; the translation is analogous 
to the translation of spatial conjunction in Figure 4. (As usual, the universal quantifiers 
can be expressed using the existential quantifier and negation.) 

We summarize the results of this section as follows. 

Proposition 8. Graph reachability, inductive definitions, spatial implication, and gen- 
eralized spatial conjunction are all expressible using first-order logic with spatial con- 
junction. 

6 Related Work 

The use of separation logic for reasoning about shared mutable data structures started 
recently [25,44] using ideas from [9] and proved very fruitful [5, 12, 13,43,45]. Our 
notion of spatial conjunction is defined on relational structures rather than on map- 
pings from memory locations to values, but our model can represent a location as a 
pair containing 1) an object and 2) one of the finitely many field names. Relational 
structures can naturally represent memory models of languages with destructive up- 
dates [8,34,36,37,46,47,51] and can also model concurrency and temporal logic spec- 
ifications [52,53]. 

Process calculi [11] and ambient calculi [17] can reason about space and locality 
as well as concurrency; these ideas also extend to graph-based structures [14, 15]. The 
results closest to ours are [14, 15, 20]; they are based on edge-labelled multigraphs, 
and do not establish the full equivalence with second-order logic. Graph-based struc- 
tures in [15] are close to the relational structures that we use, but use multisets of edges 
instead of sets of edges. Similarly to spatial logic, type systems for reasoning about 
aliasing [21,22,49,50] typically contain join operators that combine independent por- 
tions of store, although they are often based on linear types as opposed to separation 
logic. 

Our work clarifies the relationship between separation logic and traditional first-order 
logic [39] and second-order logic [2] and explains the surprising expressive power 
of spatial conjunction without inductive definitions in expressing reachability properties 
[14, 15]. The understanding of separation logic in connection to other formalisms 
is useful both for manual reasoning [5] and automated reasoning about programs with 
shared mutable data structures [1, 6, 7, 10, 19, 34, 36, 37, 40, 41, 46, 47]. Decidability and 
complexity results of underlying logics and constraint systems are particularly impor- 
tant for automated reasoning [3,4, 12, 13,26,35,38]. 

We have previously used the notion of spatial logic on relational structures in 
[30, 31] and presented a novel use of spatial conjunction to describe concatenation of 
generalized records. In [30,31] we take advantage of the definition of spatial conjunc- 
tion on relational structure to combine it with a fragment of first-order logic: we present 
a decidable extension of two-variable logic with counting and its variable-free version 
role logic [28]. The encoding of spatial conjunction in second-order logic appears in 
the technical report [31]; we have since discovered the converse (and to us more sur- 
prising) encoding. The converse encoding gives justification to the restriction in [30] 
by showing that the absence of the restriction leads to an undecidable, and in fact, ex- 
tremely expressive, logic. Moreover, the results of the present paper show how to use 
second-order quantifiers in two-variable logic while preserving decidability. The result- 
ing notation generalizes the language of boolean algebra of sets, which we have found 
useful in reasoning about data structure abstractions [32, 33]. 

7 Conclusions 

In this paper we established the expressive power of spatial conjunction by construct- 
ing an embedding from first-order logic with spatial conjunction into second-order logic 
and an embedding from full second order logic into first-order logic with spatial con- 
junction. These embeddings show that the satisfiability of formulas in first-order logic 
with spatial conjunction is equivalent to the satisfiability of formulas in second-order 
logic. This equivalence implies new decidability and undecidability results for exten- 
sions of two-variable logic with counting, decidability of (unary-predicate) spatial logic 
over trees, and the fact that inductive definitions, spatial implication, and a parameter- 
ized spatial conjunction are all expressible using first-order logic with spatial conjunc- 
tion. Finally, our connection opens up the possibility of using second-order logic as 
a unifying framework for integrating several formalisms for reasoning about dynamic 
data structures: spatial logic, monadic second-order logic on trees and graphs, and three- 
valued structures. 

Acknowledgements. We thank the participants of the Dagstuhl Seminar 03101 "Rea- 
soning about Shape" for useful discussions on separation logic, shape analysis, and 
techniques for reasoning about mutable data structures in general. The consequences 